BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

August 28, 2024 at 07:39AM

The BlackByte ransomware group has been found exploiting a recently patched security flaw in VMware ESXi hypervisors, and using vulnerable drivers to bypass security protections, according to a report from Cisco Talos. The group is also targeting various sectors and has been observed evolving its tactics to evade detection and analysis.

Key points from the report:

1. The BlackByte ransomware group exploits CVE-2024-37085 to target VMware ESXi hypervisors and leverages vulnerable drivers to bypass security protections.

2. They have a history of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server and use double extortion tactics to pressure victims for ransom payments.

3. The group has a range of ransomware variants written in C, .NET, and Go, showcasing their evolving modus operandi.

4. The U.S. government has attributed BlackByte to financially motivated attacks targeting critical infrastructure sectors.

5. The group has been observed using valid credentials to log in to victim organizations’ VPNs for remote access, as well as exploiting vulnerabilities to gain administrator privileges and escalate their attacks.

6. BlackByte utilizes advanced anti-analysis and anti-debugging techniques by incorporating C/C++ in their latest encryptor, BlackByteNT.

7. Group-IB has unpacked tactics associated with other ransomware strains, Brain Cipher and RansomHub, with potential connections to other ransomware groups.
